feat: enhance session management by implementing edit permissions for team admins and updating session components to reflect new access controls
This commit is contained in:
Julien Froidefond
@@ -1,5 +1,5 @@
|
||||
import { prisma } from '@/services/database';
|
||||
import { getTeamMemberIdsForAdminTeams } from '@/services/teams';
|
||||
import { getTeamMemberIdsForAdminTeams, isAdminOfUser } from '@/services/teams';
|
||||
import { getWeekBounds } from '@/lib/date-utils';
|
||||
import type { ShareRole } from '@prisma/client';
|
||||
|
||||
@@ -96,12 +96,13 @@ export async function getTeamCollaboratorSessionsForAdmin(userId: string) {
|
||||
isOwner: false as const,
|
||||
role: 'VIEWER' as const,
|
||||
isTeamCollab: true as const,
|
||||
canEdit: true as const, // Admin has full rights on team member sessions
|
||||
}));
|
||||
}
|
||||
|
||||
export async function getWeatherSessionById(sessionId: string, userId: string) {
|
||||
// Check if user owns the session OR has it shared
|
||||
const session = await prisma.weatherSession.findFirst({
|
||||
// Check if user owns the session, has it shared, or is team admin of owner
|
||||
let session = await prisma.weatherSession.findFirst({
|
||||
where: {
|
||||
id: sessionId,
|
||||
OR: [
|
||||
@@ -125,18 +126,33 @@ export async function getWeatherSessionById(sessionId: string, userId: string) {
|
||||
},
|
||||
});
|
||||
|
||||
if (!session) return null;
|
||||
if (!session) {
|
||||
const raw = await prisma.weatherSession.findUnique({
|
||||
where: { id: sessionId },
|
||||
include: {
|
||||
user: { select: { id: true, name: true, email: true } },
|
||||
entries: {
|
||||
include: { user: { select: { id: true, name: true, email: true } } },
|
||||
orderBy: { createdAt: 'asc' },
|
||||
},
|
||||
shares: { include: { user: { select: { id: true, name: true, email: true } } } },
|
||||
},
|
||||
});
|
||||
if (!raw || !(await isAdminOfUser(raw.userId, userId))) return null;
|
||||
session = raw;
|
||||
}
|
||||
|
||||
// Determine user's role
|
||||
const isOwner = session.userId === userId;
|
||||
const share = session.shares.find((s) => s.userId === userId);
|
||||
const isAdminOfOwner = !isOwner && !share && (await isAdminOfUser(session.userId, userId));
|
||||
const role = isOwner ? ('OWNER' as const) : share?.role || ('VIEWER' as const);
|
||||
const canEdit = isOwner || role === 'EDITOR';
|
||||
const canEdit = isOwner || role === 'EDITOR' || isAdminOfOwner;
|
||||
|
||||
return { ...session, isOwner, role, canEdit };
|
||||
}
|
||||
|
||||
// Check if user can access session (owner or shared)
|
||||
// Check if user can access session (owner, shared, or team admin of owner)
|
||||
export async function canAccessWeatherSession(sessionId: string, userId: string) {
|
||||
const count = await prisma.weatherSession.count({
|
||||
where: {
|
||||
@@ -144,10 +160,15 @@ export async function canAccessWeatherSession(sessionId: string, userId: string)
|
||||
OR: [{ userId }, { shares: { some: { userId } } }],
|
||||
},
|
||||
});
|
||||
return count > 0;
|
||||
if (count > 0) return true;
|
||||
const session = await prisma.weatherSession.findUnique({
|
||||
where: { id: sessionId },
|
||||
select: { userId: true },
|
||||
});
|
||||
return session ? isAdminOfUser(session.userId, userId) : false;
|
||||
}
|
||||
|
||||
// Check if user can edit session (owner or EDITOR role)
|
||||
// Check if user can edit session (owner, EDITOR role, or team admin of owner)
|
||||
export async function canEditWeatherSession(sessionId: string, userId: string) {
|
||||
const count = await prisma.weatherSession.count({
|
||||
where: {
|
||||
@@ -155,7 +176,22 @@ export async function canEditWeatherSession(sessionId: string, userId: string) {
|
||||
OR: [{ userId }, { shares: { some: { userId, role: 'EDITOR' } } }],
|
||||
},
|
||||
});
|
||||
return count > 0;
|
||||
if (count > 0) return true;
|
||||
const session = await prisma.weatherSession.findUnique({
|
||||
where: { id: sessionId },
|
||||
select: { userId: true },
|
||||
});
|
||||
return session ? isAdminOfUser(session.userId, userId) : false;
|
||||
}
|
||||
|
||||
// Check if user can delete session (owner or team admin only - NOT EDITOR)
|
||||
export async function canDeleteWeatherSession(sessionId: string, userId: string) {
|
||||
const session = await prisma.weatherSession.findUnique({
|
||||
where: { id: sessionId },
|
||||
select: { userId: true },
|
||||
});
|
||||
if (!session) return false;
|
||||
return session.userId === userId || isAdminOfUser(session.userId, userId);
|
||||
}
|
||||
|
||||
export async function createWeatherSession(userId: string, data: { title: string; date?: Date }) {
|
||||
@@ -180,15 +216,21 @@ export async function updateWeatherSession(
|
||||
userId: string,
|
||||
data: { title?: string; date?: Date }
|
||||
) {
|
||||
if (!(await canEditWeatherSession(sessionId, userId))) {
|
||||
return { count: 0 };
|
||||
}
|
||||
return prisma.weatherSession.updateMany({
|
||||
where: { id: sessionId, userId },
|
||||
where: { id: sessionId },
|
||||
data,
|
||||
});
|
||||
}
|
||||
|
||||
export async function deleteWeatherSession(sessionId: string, userId: string) {
|
||||
if (!(await canDeleteWeatherSession(sessionId, userId))) {
|
||||
return { count: 0 };
|
||||
}
|
||||
return prisma.weatherSession.deleteMany({
|
||||
where: { id: sessionId, userId },
|
||||
where: { id: sessionId },
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user